Untangle partially hangs

Printable View

11-29-2021, 06:43 AM
frust

Untangle partially hangs

Hi all,
since a few days I see partial hanging untangle. Some hosts won't be reachable then. (in our case most of the time upstream ldap and mail servers) get out of reach, preventing login and mail...

Always if this happens I see following in kern.log:

Code:

Mon Nov 29 13:47:02 2021] WARNING (unknown src intf):IN=tun0 OUT= MAC= SRC=172.16.137.10 DST=111.222.000.60 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=61010 DPT=443 WINDOW=2026 RES=0x00 ACK URGP=0 MARK=0x200 [Mon Nov 29 13:47:02 2021] WARNING (unknown src intf):IN=tun0 OUT= MAC= SRC=172.16.137.10 DST=111.222.000.60 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=61010 DPT=443 WINDOW=2025 RES=0x00 ACK URGP=0 MARK=0x200

(DST anonymized)

The message has nothing to do with the real blocked connections!
They only appear simultaneously.

So in my expirience, when untangle starts losing interface information, bad things happen everywhere.

The question is: might it be a software problem or might it be a hardware problem (about 10-12 year old server machine)???

Any suggestions, or same experience?
Thanks in advance,
Frank
11-29-2021, 07:22 AM
sky-knight

Debian has been dropping support for ancient hardware, my best guess is your NICs are falling off the back end and have crap drivers.

What NICs are in there?
11-30-2021, 12:04 AM
frust

Code:

# lspci|grep Ethernet 03:00.0 Ethernet controller: Broadcom Limited NetXtreme II BCM5708 Gigabit Ethernet (rev 12) 07:00.0 Ethernet controller: Broadcom Limited NetXtreme II BCM5708 Gigabit Ethernet (rev 12) 0c:00.0 Ethernet controller: Intel Corporation 82575GB Gigabit Network Connection (rev 02) 0c:00.1 Ethernet controller: Intel Corporation 82575GB Gigabit Network Connection (rev 02) 0d:00.0 Ethernet controller: Intel Corporation 82575GB Gigabit Network Connection (rev 02) 0d:00.1 Ethernet controller: Intel Corporation 82575GB Gigabit Network Connection (rev 02) 11:00.0 Ethernet controller: Intel Corporation 82575GB Gigabit Network Connection (rev 02) 11:00.1 Ethernet controller: Intel Corporation 82575GB Gigabit Network Connection (rev 02) 12:00.0 Ethernet controller: Intel Corporation 82575GB Gigabit Network Connection (rev 02) 12:00.1 Ethernet controller: Intel Corporation 82575GB Gigabit Network Connection (rev 02)
11-30-2021, 01:18 AM
sky-knight

The Intels are good, I've got a ton of those out myself. And I don't mean similar, I mean that specific chipset. Now the Broadcoms... those can get squirrely sometimes with the way they do their firmware.

Are you useing the Broadcoms?
11-30-2021, 04:49 AM
frust

Quote:

Originally Posted by sky-knight

...Now the Broadcoms... those can get squirrely sometimes with the way they do their firmware.

Are you useing the Broadcoms?

Yes they are in use.

Detection and startup of the Broadcom from dmesg:

Code:

[Mon Nov 29 13:53:43 2021] bnx2: QLogic bnx2 Gigabit Ethernet Driver v2.2.6 (January 29, 2014) [Mon Nov 29 13:53:43 2021] bnx2 0000:03:00.0 eth0: Broadcom NetXtreme II BCM5708 1000Base-T (B2) PCI-X 64-bit 133MHz found at mem da000000, IRQ 16, node addr 00:1e:c9:e4:18:10 [Mon Nov 29 13:53:43 2021] dca service started, version 1.12.1 [Mon Nov 29 13:53:43 2021] SCSI subsystem initialized [Mon Nov 29 13:53:43 2021] bnx2 0000:07:00.0 eth1: Broadcom NetXtreme II BCM5708 1000Base-T (B2) PCI-X 64-bit 133MHz found at mem d6000000, IRQ 16, node addr 00:1e:c9:e4:18:12 (...) [Mon Nov 29 13:53:57 2021] bnx2 0000:07:00.0: firmware: direct-loading firmware bnx2/bnx2-mips-06-6.2.3.fw [Mon Nov 29 13:53:57 2021] bnx2 0000:07:00.0: firmware: direct-loading firmware bnx2/bnx2-rv2p-06-6.0.15.fw bnx2 0000:07:00.0 eth1: using MSI (...) bnx2 0000:07:00.0 eth1: NIC Copper Link is Up, 1000 Mbps full duplex [Mon Nov 29 13:54:03 2021] bnx2 0000:03:00.0 eth0: NIC Copper Link is Up, 1000 Mbps full duplex

EDIT:
I am wondering why there are two different firmares for 0000:07:00.0 and none for 0000:03:00.0
11-30-2021, 07:57 AM
sky-knight

How many interfaces do you have in use? Is it possible to reconfigure to the Intels only?

Note, I'm unable to do much more other than suggest you swap NIC and see if the issue goes away, hardware support does change over time. Though typically this sort of thing comes up after a kernel level update, which we haven't had in quite some time.
12-01-2021, 12:11 AM
frust

Quote:

Originally Posted by sky-knight

How many interfaces do you have in use? Is it possible to reconfigure to the Intels only?
(...)

Yes, there are 7 Interfaces in use, so I could give it a try.
Meanwhile we are thinking about a new hardware (the server is running since 2008, as a firewall since 2016 !)...

Thanks for your help!